Jesús Linares / Wazuh have recently released OSSEC decoders for all current (v3.11) Sysmon EventIDs. Up until this point, I had been maintaining primarily just EventID 1 (Process Creation), but now we have the added benefit of parsed logs for the following Sysmon events:
EventID 2: A process changed a file creation time
EventID 3: Network connections
EventID 4: Sysmon service state changed
EventID 5: Process terminated
EventID 6: Driver loaded
EventID 7: Image loaded
EventID 8: CreateRemoteThread
This is a great addition, as we can now start writing rules against thread injection events, unsigned drivers being loaded, etc.
You can find the decoders on Github: https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml
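As an added example (not from the original post and not part of the Wazuh ruleset), here is a local_rules.xml fragment of the kind the new decoders make possible: an alert on unsigned driver loads (EventID 6) and on remote thread creation into lsass.exe (EventID 8). It assumes the decoders are named Sysmon-EventID#6 and Sysmon-EventID#8 and expose the fields sysmon.signed, sysmon.imageLoaded, sysmon.sourceImage and sysmon.targetImage; confirm the exact names against windows_decoders.xml before deploying, and the rule ids 100600-100603 are placeholders in the local range.

```xml
<!-- Added example rules for Sysmon EventIDs 6 and 8 (not Wazuh's own ruleset).
     Decoder names and sysmon.* field names are assumptions; verify them in
     windows_decoders.xml. Rule ids 100600-100603 are placeholders (100000+ is
     reserved for local rules). OSSEC regex: '\.' is a literal dot, '.' any char. -->
<group name="sysmon,windows,">

  <!-- EventID 6: every driver load, kept at a low level so it can be a parent rule -->
  <rule id="100600" level="3">
    <decoded_as>Sysmon-EventID#6</decoded_as>
    <description>Sysmon - Driver loaded</description>
  </rule>

  <!-- EventID 6: the loaded driver image carries no valid signature.
       Sysmon reports Signed: false, which the decoder is assumed to expose
       as sysmon.signed -->
  <rule id="100601" level="10">
    <if_sid>100600</if_sid>
    <field name="sysmon.signed">^false$</field>
    <description>Sysmon - Unsigned driver loaded (see sysmon.imageLoaded)</description>
  </rule>

  <!-- EventID 8: a thread was created in another process.
       Level 5 alone would be noisy (Windows itself does this legitimately),
       so it mainly serves as the parent for the targeted rule below -->
  <rule id="100602" level="5">
    <decoded_as>Sysmon-EventID#8</decoded_as>
    <description>Sysmon - CreateRemoteThread detected</description>
  </rule>

  <!-- EventID 8: target is lsass.exe. Injection into the LSA process is a
       classic credential-theft indicator and warrants a high level.
       The regex is case-insensitive in OSSEC, matching LSASS.EXE as well -->
  <rule id="100603" level="12">
    <if_sid>100602</if_sid>
    <field name="sysmon.targetImage">\\lsass\.exe$</field>
    <description>Sysmon - Remote thread created in lsass.exe (possible credential access)</description>
  </rule>

</group>
```

Tune 100602 with low-level child rules for the source images you observe injecting legitimately (e.g. your EDR agent) rather than raising its level, so the lsass.exe rule keeps firing on those sources too.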
-Josh